Username formats (domain\username, username@domain, etc)

How do you handle slight differences in username format for internal business sites that are all at the same domain?

Examples:
playground.company.com requires username format “company\username”
store.company.com requires username format “company.com\username”
job.company.com requires username format “[email protected]”
school.company.com requires username format “username”

Because it’s the same domain and the same account, there is only one password. And before you get into a security tizzy, let me repeat myself - it’s one account with one password. The problem is that the login pages for various services require the username in slightly different formats and often do not accept the username in a different format.

I’ve found a few workarounds so far but none of them are perfect and I’m mostly curious A) if there’s a better built-in way to do this than what I’ve found and B) if there’s a workaround someone else has found that works better for me.

Workaround #1
Set the username to just the username and the domain to the base domain. You’ll have to modify the username on some sites but at least with autofill on that’s a lot fewer characters you have to type.

Workaround #2
Create a unique login for each username variation and then use regex URI detection to specify exactly which subdomains apply. Biggest downsides here are that you have to update the password in several BW logins each time and it’ll register as a “reused password” in security reports.

Workaround #3
Create a unique login for each username variation but use base domain matching and disable autofill. Each site will show multiple logins that you’ll have to choose from the extension dropdown but two clicks isn’t that bad. It’ll also still register as a “reused password” in security reports.

That is a very tough problem, @jsh - and I think you have identified the best workarounds. I don’t think there is an elegant way to solve this in Bitwarden, unfortunately.

If I had to choose the least intrusive and most reliable method, personally I would be tempted to go with your Workaround #1. It has the advantage of maintaining your credentials in only one login item, so there will never be confusion or failed logins arising from not keeping multiple logins current and in sync. But that depends on how frequently your company requires you to update your password. If it is very infrequently (say once a year) or not at all, then I would go with a variation of Workaround #2 where I use Host URI matching or Starts With URI matching (not REGEX).

Where I work, I am lucky because our Active Directory authentication and the logins to our federated servers basically all accept the ou\username login format, so Workaround #1 is what I currently do. But #2 would be my preference if I had to constantly use different formats. Cheers!

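An added example, not part of either post and not Bitwarden's code: a simplified Python model of the match types discussed above (base domain, host, starts with, regex), applied to the four subdomains from the question. The item layout, the `username@domain` placeholder, the two-label base-domain shortcut, case-insensitive regex and the look-alike host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed items: one username format per subdomain, as in the question.
# The third username is a placeholder in the thread title's username@domain form.
SITES = {
    "playground.company.com": r"company\username",
    "store.company.com": r"company.com\username",
    "job.company.com": "username@domain",
    "school.company.com": "username",
}

def make_items(match):
    """One login item per subdomain, all using the same match type."""
    return [{"username": u, "uri": f"https://{h}/", "match": match}
            for h, u in SITES.items()]

def base_domain(host):
    # Assumption: last two labels. Real matching needs the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def matches(item, page_url):
    kind = item["match"]
    if kind == "regex":  # assumed case-insensitive, searched anywhere in the URL
        return re.search(item["uri"], page_url, re.IGNORECASE) is not None
    if kind == "starts_with":
        return page_url.startswith(item["uri"])
    saved, page = urlsplit(item["uri"]), urlsplit(page_url)
    if kind == "host":
        return saved.netloc.lower() == page.netloc.lower()
    if kind == "base_domain":
        return base_domain(saved.hostname) == base_domain(page.hostname)
    raise ValueError(f"unknown match type: {kind}")

def candidates(items, page_url):
    """Usernames that would be offered on this page."""
    return [i["username"] for i in items if matches(i, page_url)]

LOOKALIKE = "https://storexcompany.com.example/login"  # constructed look-alike host
LOOSE = {"username": "username", "uri": r"store.company.com", "match": "regex"}
STRICT = {"username": "username", "uri": r"^https://store\.company\.com/", "match": "regex"}

if __name__ == "__main__":
    for host in SITES:
        for kind in ("base_domain", "host", "starts_with"):
            print(f"{kind:12} {host:24} {candidates(make_items(kind), f'https://{host}/login')}")
    # Unescaped dots and no anchors let the loose pattern hit the look-alike host.
    print("loose:", matches(LOOSE, LOOKALIKE), "strict:", matches(STRICT, LOOKALIKE))
```

In this model, base domain matching offers all four usernames on every subdomain (Workaround #3), while host or starts-with matching offers exactly one (the Workaround #2 variation). A regex entry only behaves as narrowly as host matching when its dots are escaped and the pattern is anchored.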